Keyring backend, that automatically retrieves credentials for Azure Artifacts.
Project description
Keyring for Azure DevOps Artifacts
Overview
The keyrings.artifacts
backend integrates with the keyring
library to provide authentication for publishing or consuming Python packages to or from Azure Artifacts feeds within Azure DevOps. The package is a platform-agnostic, plain Python implementation of the original artifact-keyring package leverageging azure-identity, without its dependency on DotNet
.
The package is designed to be used with the pixi
, uv
or pip
package manager to authenticate with Azure DevOps Artifacts. It provides a secure and convenient way to store and retrieve credentials without exposing them in the source code or local configuration files.
Disclaimer
Warning: This package is in an early development stage and may contain bugs or other issues. It is recommended to use this package for local development and testing purposes only, and not in production environments or CI pipelines. Please report any issues or bugs you encounter to help us improve the package.
Acknowledgements
This package was heavily inspired by a pull request of tomporaer and javuc1 in Microsoft's artifacts-keyring
repository and their idea of a plain Python version. Since the PR has not been merged since February 2023, it seems unlikely that it will be merged, which led to the decision to create this package.
Installation
Detailed documentation on how to setup the usage can be found in the respective package manager documentation:
Note: As the
keyrings.artifacts
package is a drop-in replacement for the originalartifact-keyring
package and it supports the same methods (and more). To use thekeyrings.artifacts
package, follow the same installation and configuration instructions provided in the listed documentations below, but replace the package name accordingly.
pip
is available in the pip documentation.pixi
is available in the Pixi documentation.uv
is available in the uv documentation.
System-Wide Installation
Following the installation and configuration instructions in the pip documentation, keyring and third-party backends should best be installed system-wide. The simplest way to install the keyring
with keyrings.artifacts
-backend system-wide is to use pixi
, uv
(If don't know uv
yet, I suggest you to check it out here) and pipx
:
pixi
Note:
pixi
does not yet support global multi-package installations (it's planned for the future, see the Pixi Global Manifest). To work around this, you can instead globally installkeyrings.artifacts
andkeyring
will be installed automatically as a dependency and its executable will be linked accordingly.
# Install keyring and keyrings.artifacts globally from conda-forge using pixi
pixi global install --environment keyring --expose keyring keyring keyrings.artifacts
uv
# Install keyring and the keyrings.artifacts from PyPI using uv
uv tool install keyring --with keyrings.artifacts
pipx
# Install keyring from PyPI using pipx and inject the keyrings.artifacts package
$ pipx install keyring && pipx inject keyring keyrings.artifacts
Usage
Command Line
If you don't have a token stored in the system keyring, you can fetch and store it interactively using the keyring
command line tool:
$ keyring get https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/pypi/simple/ VssSessionToken
If you already have a token stored in the system keyring and want to update it, you can use the keyring
command line tool:
# first delete the existing token
$ keyring del https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/pypi/simple/ VssSessionToken
# then fetch and store the new token
$ keyring get https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/pypi/simple/ VssSessionToken
Note:
keyrings.artifacts
package handles the token refresh of expired tokens automatically, so you don't need to worry about it. 🤓
How It Works
The keyrings.artifacts
package extends the keyring
library to securely manage credentials for Azure DevOps Artifacts. It supports authentication using either bearer tokens or personal access tokens (PATs), configurable via the KEYRINGS_ARTIFACTS_USE_BEARER_TOKEN
environment variable (default is False
).
Authentication Methods
The package supports two authentication methods:
-
Bearer Token Authentication: Set
KEYRINGS_ARTIFACTS_USE_BEARER_TOKEN
toTrue
to use bearer tokens. Authentication methods for obtaining a bearer token include:- Using environment variables for the
EnvironmentCredential
provider. This provider is capable of authenticating as a service principal using a client secret or a certificate, or as a user with a username and password, and requires setting a few environment variables. Learn more - Requesting a token from the Azure CLI (requires prior
az login
). Learn more - Shared token cache. Learn more
- Interactive browser-based authentication. Learn more
- Device code authentication. Learn more
- Using environment variables for the
-
Personal Access Token (PAT) Authentication: To use a personal access token (PAT), set
KEYRINGS_ARTIFACTS_USE_BEARER_TOKEN
toFalse
. The package will automatically manage the PAT as follows:-
If the
AZURE_DEVOPS_EXT_PAT
environment variable is set, this token will be used. -
If
AZURE_DEVOPS_EXT_PAT
is not set, the package will look for a stored PAT in the system keyring. -
If no PAT is found, a new PAT will be generated and stored in the system keyring. The duration of the PAT can be configured using the
AZURE_DEVOPS_PAT_DURATION
environment variable (default is 365 days).Note: To generate a new PAT, an intermediate bearer token authentication is required. The bearer token can be obtained using any of the methods mentioned above.
Any new PAT will be stored in the system keyring for future use. Depending on the operating system, the following keyrings are used:
- Windows: Stored in Windows Credential Manager.
- macOS: Stored in macOS Keychain.
- Linux: Stored in the Secret Service API via
dbus
or in an encrypted file usingkeyrings.alt.EncryptedKeyring
.
Note: For more information on setting up and configuring system keyrings, refer to the keyring documentation.
-
Configuration Guidelines
Environment Variables
-
General Configuration:
KEYRINGS_ARTIFACTS_USE_BEARER_TOKEN
: Set toTrue
to use bearer tokens,False
to use PATs (default isFalse
).
-
Personal Access Token (PAT) Configuration:
AZURE_DEVOPS_EXT_PAT
: This environment variable can be used to set a PAT for the package to use.AZURE_DEVOPS_PAT_DURATION
: If a new PAT is generated, this environment variable sets the duration of the PAT in days (default is 365 days).
-
Bearer Token Configuration:
- Details about the environment variables required for the
EnvironmentCredential
provider can be found in the Azure Identity documentation.
- Details about the environment variables required for the
Contributing
We welcome contributions to this project. Please refer to our Contributing Guidelines for more information on how to get involved.
Pixi package manager
We use pixi
as our project and package manager. pixi
is a cross-platform, multi-language package manager and workflow tool built on the foundation of the conda ecosystem. It provides developers with an experience similar to popular package managers like cargo or yarn, but for any language. Some of its key features include:
- Support for conda and PyPi packages, with global dependency resolution.
- Always includes an up-to-date lock file.
- Entirely written in Rust, making it super fast.
For more information on doing Python development with pixi
, please refer to this tutorial.
Installing requirements
Once you've cloned the repository, you can prepare the project by executing:
pixi install -e dev
pixi run post-install
These commands install the necessary packages, set up the pre-commit hooks, and prepare the project for development. Verify the installation by running
pixi list
You should see the packages installed in the list.
For more detailed instructions on setting up your environment, including the use of the pixi
package manager, refer to the Setting Up Your Development Environment section in CONTRIBUTING.md
.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file keyrings_artifacts-0.5.0.tar.gz
.
File metadata
- Download URL: keyrings_artifacts-0.5.0.tar.gz
- Upload date:
- Size: 14.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 51dbecb706dc528719ee799f2ec911b03a831c07ba2a37bf6e606f299220fc70 |
|
MD5 | 691d3298c810aeb83d5988e1bd22ac08 |
|
BLAKE2b-256 | 6275b6f31856727843553c578e3fa3df3b58273c394c484732362f6579653fb1 |
File details
Details for the file keyrings_artifacts-0.5.0-py3-none-any.whl
.
File metadata
- Download URL: keyrings_artifacts-0.5.0-py3-none-any.whl
- Upload date:
- Size: 15.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 88b2da9cd96f3729d36f715bc0afb93369c7584df130288dd978efc51c4b6f15 |
|
MD5 | 4c28b085721f322ee3801ea47cc4232d |
|
BLAKE2b-256 | eb43a0d02ec8874f343a50408c0ecd7d70e90697dd40917153fd151e400f886d |